20.1 Overview of Configuring Single Sign-on for Administration Consoles in an Enterprise Deployment

You assign WebLogic Administration groups, update boot.properties, and restart the servers. Then you install and configure WebGate and validate the setup. After WebGate is installed and configured, the Oracle HTTP Server intercepts requests for the consoles and forwards them to Oracle Access Manager for validation.

The administration consoles referred to in the chapter title are:

Oracle Enterprise Manager Fusion Middleware Control

Oracle WebLogic Server Administration Console

Oracle Access Manager Console

Oracle Identity Manager Console

20.2 Prerequisites

Before you attempt to integrate administration consoles with single sign-on, ensure that the following tasks have been performed in the IDMDomain:

20.3 Create WebLogic Security Providers

This section describes how to integrate administration consoles with single sign-on. You need to perform the procedures in this section if you have placed Oracle Identity Manager into a separate domain.

In an enterprise, it is typical to have a centralized Identity Management domain where all users, groups and roles are provisioned and multiple application domains (such as a SOA domain and WebCenter Portal domain). The application domains are configured to authenticate using the central Identity Management domain.

In Section 11.5, "Preparing the Identity Store" you created a user called weblogic_idm and assigned it to the group IDM Administrators. To be able to manage WebLogic using this account you must add the IDM Administrators group to the list of WebLogic Administration groups. This section describes how to add the IDM Administrators Group to the list of WebLogic Administrators.

If you are using a single domain topology, perform the following tasks on IDMDomain.

If you are using a split domain topology, perform these tasks on both IDMDomain and OIMDomain.

On the Summary of Security Realms page, click myrealm under the Realms table.

On the Settings page for myrealm, click the Roles & Policies tab.

On the Realm Roles page, expand the Global Roles entry under the Roles table. This brings up the entry for Roles. Click the Roles link to go to the Global Roles page.

On the Global Roles page, click the Admin role to go to the Edit Global Role page:

On the Edit Global Role page, under the Role Conditions table, click the Add Conditions button.

On the Choose a Predicate page, select Group from the drop-down list for predicates and click Next.

On the Edit Arguments page, specify IDM Administrators in the Group Argument field and click Add.

Click Finish to return to the Edit Global Role page.

The Role Conditions table now shows the IDM Administrators Group as an entry.

Click Save to finish adding the Admin role to the IDM Administrators Group.

Validate that the changes were successful by bringing up the WebLogic Administration Server Console using a web browser. Log in using the credentials for the weblogic_idm user.

20.5 Register EM with OPSS Security Provider

If you are using a split domain you must register the Oracle Enterprise Manager Fusion Middleware Control application with the OPSS policy store in order for logout to work correctly in the IDMDomain. This is not necessary in the OIMDomain.

To register Fusion Middleware Control, proceed as follows.

Start WLST using the command:

MW_HOME/oracle_common/common/bin/wlst.sh

Connect to the IDMDomain using the WLST connect() command, as follows:

20.6 Updating the boot.properties File

Update the boot.properties file for the Administration Server and the managed servers with the WebLogic admin user created in Oracle Internet Directory. For a single domain topology, you must update the boot.properties file on IDMHOST1. For a split domain topology, you must also update boot.properties on OIMHOST1. Follow the steps in the following sections to update the file.
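As an added example (not part of the Oracle guide), the following POSIX shell functions write boot.properties for the Administration Server and a list of managed servers, then check the resulting files after the restart. They assume the standard DOMAIN_HOME/servers/<server>/security/boot.properties layout and read the password from an environment variable named WLS_ADMIN_PASSWORD; the function names and that variable name are chosen here, not taken from the product.

```shell
#!/bin/sh
# Added example, not from the Oracle guide. Writes boot.properties for each
# named server of a domain with the WebLogic admin user held in Oracle
# Internet Directory (for example weblogic_idm). Assumes the standard layout
# DOMAIN_HOME/servers/<server>/security/boot.properties. The file holds the
# password in clear text until the server's next start encrypts it, so it is
# created mode 600, and the password is read from WLS_ADMIN_PASSWORD (a name
# chosen for this example) rather than from the command line, where it would
# be visible in the process list.
#
# usage: WLS_ADMIN_PASSWORD=... write_boot_properties DOMAIN_HOME USER SERVER...
write_boot_properties() {
    domain_home=$1; admin_user=$2; shift 2
    [ -n "$WLS_ADMIN_PASSWORD" ] || { echo "WLS_ADMIN_PASSWORD is not set" >&2; return 2; }
    for server in "$@"; do
        secdir="$domain_home/servers/$server/security"
        mkdir -p "$secdir" || return 1
        bootfile="$secdir/boot.properties"
        # keep the previous (already encrypted) file so the old identity can still boot
        if [ -f "$bootfile" ]; then cp -p "$bootfile" "$bootfile.bak"; fi
        # umask in a subshell so a new file is 0600 from the moment it exists
        ( umask 077; printf 'username=%s\npassword=%s\n' "$admin_user" "$WLS_ADMIN_PASSWORD" > "$bootfile" )
        # redirection keeps the mode of a pre-existing file, so tighten it explicitly
        chmod 600 "$bootfile"
    done
}

# Post-restart check: every boot.properties must be mode 600 (or 400) and
# WebLogic must already have replaced the clear-text password with an
# encrypted {AES} or {3DES} value. Returns non-zero if any file fails.
check_boot_properties() {
    domain_home=$1; rc=0
    for f in "$domain_home"/servers/*/security/boot.properties; do
        [ -f "$f" ] || continue
        perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case "$perms" in
            600|400) ;;
            *) echo "$f: mode $perms, expected 600" >&2; rc=1 ;;
        esac
        grep -Eq '^password=\{(AES|3DES)\}' "$f" || { echo "$f: password still in clear text" >&2; rc=1; }
    done
    return $rc
}
```

For a split domain topology run write_boot_properties once per domain, on IDMHOST1 for IDMDomain and on OIMHOST1 for OIMDomain, and run check_boot_properties only after the servers have been restarted.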

20.7.2 Making Special gcc Libraries Available

Oracle Web Gate requires special versions of gcc libraries to be installed (Linux only). These library files must exist somewhere on the Linux system. The Web Gate installer asks for the location of these library files at install time. Download the libraries from http://gcc.gnu.org, as described in "Installing Third-Party GCC Libraries (Linux and Solaris Operating Systems Only)" in Oracle Fusion Middleware Installation Guide for Oracle Identity Management.

20.7.3 Installing Oracle WebGate on WEBHOST1 and WEBHOST2

Before you install Oracle WebGate, ensure that the Managed Servers WLS_OAM1 and WLS_OAM2 are started.

Install Oracle WebGate as described in the following sections.

20.7.3.1 Oracle WebGate 10g

Start the Web Gate installer by issuing the following command, where version is the release number in the installer file name:

Oracle_Access_Manager<version>_linux_OHS11g_WebGate -gui

Then perform the following steps:

On the Welcome to the InstallShield Wizard for Oracle Access Manager WebGate screen, click Next.

On the Customer Information screen, enter the username and group that the Oracle Access Manager server uses. This should be the same as the user and group that installed the Oracle HTTP Server. The default value for username and group is nobody. For example, enter oracle/oinstall.

On the next Configure Web Server screen, specify the full path of the directory containing the httpd.conf file. The httpd.conf file is located under the following directory:

/u01/app/oracle/admin/<ohsInstance>/config/OHS/<ohsComponentName>

For example:

/u01/app/oracle/admin/ohs_instance2/config/OHS/ohs2/httpd.conf

Click Next.

On the next Configure Web Server page, a message informs you that the Web Server configuration has been modified for WebGate.

Click Next.

The next screen, Configure Web Server, displays the following message:

If the web server is setup in SSL mode, then httpd.conf file needs to be configured with the SSL related parameters. To manually tune your SSL configuration, please follow the instructions that come up.

Click Next.

The next screen, Configure Web Server, displays a message with the location of the document that has information on the rest of the product setup, as well as Web Server configuration.

Select No and click Next.

The final Configure Web Server screen appears with a message to manually launch a browser and open the HTML document for further information on configuring your Web Server.

Click Next.

The Oracle COREid Readme screen appears. Review the information on the screen and click Next.

A message appears, along with the details of the installation, informing you that the installation was successful.